likwid/backend/.env.example

# Likwid Backend Configuration
# Copy this file to .env and configure as needed

# Database connection URL
DATABASE_URL=postgres://likwid:likwid@localhost:5432/likwid

# Server configuration
SERVER_HOST=127.0.0.1
SERVER_PORT=3000

# =============================================================================
# CORS
# =============================================================================
# In development, CORS defaults to allowing any origin.
# In production, set an allowlist (comma-separated) to restrict browser access.
# Example:
# CORS_ALLOWED_ORIGINS=https://openlikwid.org,https://staging.openlikwid.org
CORS_ALLOWED_ORIGINS=

# JWT Secret for authentication tokens
# IMPORTANT: Change this in production!
JWT_SECRET=change-me-in-production

# =============================================================================
# RATE LIMITING
# =============================================================================
# The backend applies a global fixed-window rate limiter (60s window).
#
# - Set RATE_LIMIT_ENABLED=false to disable all rate limiting.
# - Set any *_RPM variable to 0 to disable that specific limiter.
#
# Per-IP rate limit (all endpoints except / and /health)
RATE_LIMIT_IP_RPM=300
# Per-user rate limit (only applies when Authorization: Bearer <jwt> is present)
RATE_LIMIT_USER_RPM=1200
# Auth endpoints rate limit (applies per IP for /api/auth/login and /api/auth/register)
RATE_LIMIT_AUTH_RPM=30
# Master toggle
RATE_LIMIT_ENABLED=true

# =============================================================================
# DEMO MODE
# =============================================================================
# Enable demo mode for public demonstration instances.
# When enabled:
# - Restricts destructive actions (delete communities, modify instance settings)
# - Enables demo accounts (contributor, moderator, observer) with password: demo123
# - Loads seed data with realistic governance history
# - Data can be reset via POST /api/demo/reset
#
# Set to true for demo/showcase instances, false for production
DEMO_MODE=false
test/docs: add rate limiting regression tests 2026-02-12 10:47:38 +00:00			`# Likwid Backend Configuration`
			`# Copy this file to .env and configure as needed`

			`# Database connection URL`
			`DATABASE_URL=postgres://likwid:likwid@localhost:5432/likwid`

			`# Server configuration`
			`SERVER_HOST=127.0.0.1`
			`SERVER_PORT=3000`

security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00			`# =============================================================================`
			`# CORS`
			`# =============================================================================`
			`# In development, CORS defaults to allowing any origin.`
			`# In production, set an allowlist (comma-separated) to restrict browser access.`
			`# Example:`
			`# CORS_ALLOWED_ORIGINS=https://openlikwid.org,https://staging.openlikwid.org`
			`CORS_ALLOWED_ORIGINS=`

test/docs: add rate limiting regression tests 2026-02-12 10:47:38 +00:00			`# JWT Secret for authentication tokens`
			`# IMPORTANT: Change this in production!`
			`JWT_SECRET=change-me-in-production`

			`# =============================================================================`
			`# RATE LIMITING`
			`# =============================================================================`
			`# The backend applies a global fixed-window rate limiter (60s window).`
			`#`
			`# - Set RATE_LIMIT_ENABLED=false to disable all rate limiting.`
			`# - Set any *_RPM variable to 0 to disable that specific limiter.`
			`#`
			`# Per-IP rate limit (all endpoints except / and /health)`
			`RATE_LIMIT_IP_RPM=300`
			`# Per-user rate limit (only applies when Authorization: Bearer <jwt> is present)`
			`RATE_LIMIT_USER_RPM=1200`
			`# Auth endpoints rate limit (applies per IP for /api/auth/login and /api/auth/register)`
			`RATE_LIMIT_AUTH_RPM=30`
			`# Master toggle`
			`RATE_LIMIT_ENABLED=true`

			`# =============================================================================`
			`# DEMO MODE`
			`# =============================================================================`
			`# Enable demo mode for public demonstration instances.`
			`# When enabled:`
			`# - Restricts destructive actions (delete communities, modify instance settings)`
			`# - Enables demo accounts (contributor, moderator, observer) with password: demo123`
			`# - Loads seed data with realistic governance history`
			`# - Data can be reset via POST /api/demo/reset`
			`#`
			`# Set to true for demo/showcase instances, false for production`
			`DEMO_MODE=false`